Action Summary

Financial institutions should implement the appropriate physical
and logical security controls to ensure retail payment system
transactions are processed, cleared, and settled in an accurate,
timely, and reliable manner. Security risk assessments should
consider physical and logical security controls for the
origination, approval, transmission, and storage of retail payment
system transactions. Risk assessments should include service
providers, third-party originators, and external networks that
process, store, or transport customer data. Physical controls
should limit access to only those staff assigned responsibility for
supporting the operations and business line centers that process
retail payment and accounting transactions. Physical controls
should also provide for the ability to monitor and document access
to these facilities. Logical controls should include
identifying and authenticating retail payment system customers to
help ensure the integrity of the payments. Particular
attention to data security is required for emerging
technologies.

Financial institutions should implement the appropriate physical
and logical security controls to ensure retail payment system
transactions are processed, cleared, and settled in an accurate,
timely, and reliable manner. Retail payment systems contain
confidential customer information subject to GLBA section 501(b)
security guidelines. Payments data may also be subject to the
requirements of the Payment Card Industry Data Security Standard
(PCI DSS). More information on PCI Data
Security Standards may be found at the website: www.pcisecuritystandards.org.
The board and management are responsible for protecting the
confidentiality, integrity, and availability of these systems and
data. The privacy risk combined with the funds transfer
capability should cause these systems to rank high in all
institutions' information security risk assessments. The risk
assessments should consider physical and logical security controls
for the origination, approval, transmission, and storage of retail
payment system transactions.

Physical controls should limit access to sensitive areas to staff
assigned responsibility for supporting the operations and business
line centers that process retail payment and accounting
transactions. Physical controls should also provide for
monitoring and documenting access to these facilities.

Management should assign appropriate logical access to staff
responsible for retail payment-related services and should base
access rights on the need to separate the duties of personnel
responsible for originating, approving, and processing the
transactions. Appropriate identification and authentication
techniques include requiring unique authenticators for each staff
member with strong password requirements.

Logical access controls should permit access on a need-to-know
basis and should assign access to retail payment applications and
data based on functional job duties and requirements. Logical
access controls should also protect network access. An
institution's risk assessment should require protection of retail
payment systems from unauthorized access through appropriate access
controls, network and host configuration, operation, firewalls, and
intrusion detection and monitoring. The risk assessment
should also review the security of all third-party service
providers. Some institutions accomplish this by isolating all
payment-related applications and systems from other production
applications.
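The separation of duties described above (distinct staff originate, approve, and process a transaction, with access rights tied to job function) is easy to state and easy to get wrong in an application. The following is an added example, not code from the FFIEC handbook or any institution's system: a small workflow guard that enforces step order, role entitlement (need-to-know), and the rule that no single person may act twice on the same transaction. The role names, user ids, and sample transactions are constructed for illustration.

```python
"""Added example: separation-of-duties and need-to-know checks for a
retail payment workflow (originate -> approve -> process).
Illustrative code written for this page, not the FFIEC's or any
vendor's; roles, users and transactions below are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Step(Enum):
    ORIGINATE = "originate"
    APPROVE = "approve"
    PROCESS = "process"


# Constructed role model: each role is entitled to exactly the steps
# its job function requires (need-to-know). Auditors get no
# transactional rights at all.
ROLE_ENTITLEMENTS = {
    "payment_clerk": {Step.ORIGINATE},
    "payment_supervisor": {Step.APPROVE},
    "ops_processor": {Step.PROCESS},
    "auditor": set(),
}

WORKFLOW_ORDER = [Step.ORIGINATE, Step.APPROVE, Step.PROCESS]


class SoDViolation(Exception):
    """Raised when a step is out of order, the role is not entitled to it,
    or the same person would act twice on one transaction."""


@dataclass
class PaymentTransaction:
    txn_id: str
    amount_cents: int
    # Audit trail of (step, user) pairs, in the order they happened.
    history: list = field(default_factory=list)

    def actors(self) -> set:
        return {user for _, user in self.history}

    def next_step(self):
        n = len(self.history)
        return WORKFLOW_ORDER[n] if n < len(WORKFLOW_ORDER) else None


def perform_step(txn: PaymentTransaction, user: str, role: str,
                 step: Step) -> PaymentTransaction:
    """Apply one workflow step, enforcing three controls in order:
    1. steps happen in sequence (no approval before origination);
    2. the acting role is entitled to the step (need-to-know);
    3. no single user acts twice on one transaction (separation of duties).
    """
    expected = txn.next_step()
    if expected is None:
        raise SoDViolation(f"{txn.txn_id}: already fully processed")
    if step is not expected:
        raise SoDViolation(f"{txn.txn_id}: expected {expected.value}, "
                           f"got {step.value}")
    if step not in ROLE_ENTITLEMENTS.get(role, set()):
        raise SoDViolation(f"{txn.txn_id}: role {role!r} may not {step.value}")
    if user in txn.actors():
        raise SoDViolation(f"{txn.txn_id}: {user!r} already acted on it")
    txn.history.append((step.value, user))
    return txn


def run_clean_workflow() -> list:
    """Constructed happy path: three different staff, one step each."""
    txn = PaymentTransaction("TXN-0001", 125_000)
    perform_step(txn, "alice", "payment_clerk", Step.ORIGINATE)
    perform_step(txn, "bob", "payment_supervisor", Step.APPROVE)
    perform_step(txn, "carol", "ops_processor", Step.PROCESS)
    return txn.history


def self_approval_is_blocked() -> bool:
    """Constructed failure case: the originator also holds the supervisor
    role and tries to approve her own transaction."""
    txn = PaymentTransaction("TXN-0002", 9_900)
    perform_step(txn, "alice", "payment_clerk", Step.ORIGINATE)
    try:
        perform_step(txn, "alice", "payment_supervisor", Step.APPROVE)
    except SoDViolation:
        return True
    return False


def wrong_role_is_blocked() -> bool:
    """Constructed failure case: an auditor tries to originate a payment."""
    txn = PaymentTransaction("TXN-0003", 50_000)
    try:
        perform_step(txn, "dave", "auditor", Step.ORIGINATE)
    except SoDViolation:
        return True
    return False


if __name__ == "__main__":
    print(run_clean_workflow())
    print("self-approval blocked:", self_approval_is_blocked())
    print("wrong role blocked:", wrong_role_is_blocked())
```

The `history` list doubles as the access record the text asks for: it shows who performed each step, so an examiner can verify after the fact that the three roles were held by three people. In a real system the same checks would sit in the application tier and be backed by the directory or IAM roles, not a module-level dictionary.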

A critical element in ensuring retail payment systems integrity is
the appropriate identification and authentication of retail payment
system customers. Transaction authorization (e.g., the
approval of a funds transfer or guarantee of funds) is an essential
precondition leading to the interbank transfer of funds.
Financial institutions should establish an adequate internal
control environment for the issuance of bankcards and related
PINs. These controls can minimize processing errors and fraud
and protect the confidentiality of customer and institution
information.

The use of newer and emerging technologies presents new security
challenges. As new retail payment products and services are
developed, it may become necessary to modify methods for customer
identification and authentication to ensure their
effectiveness.

Many electronic banking applications use Internet-based, open
network standards and rely on commonly accepted technologies to
secure transmissions (e.g., Secure Sockets Layer [SSL] or other
virtual private network [VPN] technology). The institution should
establish a secure session before consumers can submit their
personal banking information, and should maintain the secure
session until the time of final data transmission.

Retail payment systems should incorporate sufficient security
procedures and controls to verify the integrity of the data, the
confidentiality of the transmission, and the authenticity of the
communication partners and data sources. The selection and
use of authentication technologies and methods should depend upon
the results of a financial institution's risk assessment
process. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.
Single-factor authentication alone is inadequate for high-risk
transactions involving access to customer information or the
movement of funds to other parties. Using digital
certificates, leveraging the public key infrastructure (PKI),
and employing biometrics and card- or token-based techniques can
provide cost-effective solutions for augmenting traditional
technical controls. (See FFIEC guidance "Authentication in an
Internet Banking Environment," October 2005, and "Authentication
in an Internet Banking Environment - Supplement," June 2011.)
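A point practitioners often miss when implementing the guidance above is that "multifactor" means factors from different categories: a password plus a PIN is still single-factor. The following is an added example, not code from the FFIEC or any vendor: a small risk-based authorization policy that counts distinct factor categories in a session and requires step-up for the high-risk cases the text names (access to customer information, movement of funds to other parties). The authenticator names, risk flags, and sample requests are constructed assumptions.

```python
"""Added example: risk-based step-up authentication for retail payment
sessions. Illustrative code for this page, not the FFIEC's or any
vendor's; authenticator names, risk flags and requests are constructed."""
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # token, card, device certificate
    INHERENCE = "something you are"     # biometric


# Constructed mapping from presented authenticator to factor category.
AUTHENTICATOR_CATEGORY = {
    "password": FactorType.KNOWLEDGE,
    "pin": FactorType.KNOWLEDGE,
    "hardware_token": FactorType.POSSESSION,
    "device_certificate": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
}


def factor_categories(authenticators) -> set:
    """Categories actually proven in this session. Unknown authenticator
    names are rejected rather than silently ignored."""
    cats = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator {name!r}")
        cats.add(AUTHENTICATOR_CATEGORY[name])
    return cats


def distinct_factor_count(authenticators) -> int:
    """Two knowledge factors still count as one: multifactor requires
    different categories."""
    return len(factor_categories(authenticators))


def is_high_risk(request: dict) -> bool:
    """High-risk per the text: access to customer information, or
    movement of funds to another party. Flags are constructed."""
    if request.get("accesses_customer_info", False):
        return True
    return bool(request.get("moves_funds", False)
                and request.get("third_party", False))


def authorize(session_authenticators, request: dict) -> dict:
    """Decide whether the session's proven factors satisfy the policy for
    this request. Returns a decision plus what would be needed to
    step up, so the application can prompt for the missing category."""
    required = 2 if is_high_risk(request) else 1
    present = factor_categories(session_authenticators)
    have = len(present)
    result = {"required_factors": required, "have": have}
    if have >= required:
        result["decision"] = "allow"
    else:
        result["decision"] = "step_up"
        result["missing_categories"] = [
            f.value for f in FactorType if f not in present]
    return result


if __name__ == "__main__":
    # Constructed sessions: same request, different factor sets.
    transfer = {"moves_funds": True, "third_party": True}
    print(authorize(["password", "pin"], transfer))            # step_up
    print(authorize(["password", "hardware_token"], transfer))  # allow
    print(authorize(["password"], {"view_rates": True}))       # allow
```

The `missing_categories` field is what turns a denial into the layered control the text calls for: the application can ask for a possession or inherence factor at the moment of the high-risk transaction rather than rejecting it outright, and the decision record can be logged alongside the transaction for later review.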

Institutions that participate in payment card systems should
develop processes to ensure compliance with the PCI DSS. This
standard is discussed further in the "Merchant Acquiring"
section.

Institutions should have a response program in place that addresses
security breaches, including incidents with their third-party
servicers. The program should include the investigation,
customer notification, if applicable, and reporting processes for
regulatory and law enforcement agencies.